Step by Step guide on Federated Authentication in Windows Azure Web Role using Windows Azure App Fabric Access Control Service

In this article I will show you a step-by-step demonstration of enabling Federated Authentication on a Windows Azure Web Role using Windows Azure App Fabric Access Control Service.

You are writing an application and want to make it open to users of all identity providers: users of Facebook, Live, Google, Yahoo etc. should be able to use your application. To achieve this you would probably have to implement authentication logic for each type of provider separately, for instance separate authentication logic for Facebook, separate authentication logic for Google, and so on.

Instead, you outsource the authentication task for each identity provider to Access Control Service (ACS). ACS does the work of authentication for your application.

Image taken from MSDN

In this post I am focusing on demonstrating the step-by-step process to work with Windows Azure ACS. In a later post I will discuss more of the theory of Claims-Based Authentication.

After signing in to the Windows Azure portal, select the Service Bus, Access Control & Caching tab from the left panel.

Then choose Access Control from the top.

You need to have a namespace. If you already have a namespace, feel free to use it. Here I assume you don't have any namespace created yet; follow the screens below to create one.

Click on the New option in the top panel to create a new namespace.

On clicking New, you will get the Create a new Service Namespace window. For the purpose of this article, I am choosing Access Control Service and providing the other information in the properties tab, such as Namespace, Country and Subscription.

Once the namespace is created you can see it listed. Select the newly created namespace and from the top panel choose Access Control Services.

Access Control Services will open in a new tab. There, from the left panel, select Identity Providers.

On clicking Identity Providers you can see Windows Live ID is already added. Click on the Add button to add other identity providers.

On clicking the Add button you will get the option to add different identity providers. For the purpose of this post I am adding Google and Yahoo only.

I have chosen Yahoo. Next you will be prompted to choose an Image URL for the login screen. This is optional; I have not given any Image URL here.

In the same way you can add the Google identity provider as well. After adding all the identity providers you will get them listed as below.

Next you need to add a Relying Party Application. For that, from the left panel click on Relying Party Applications and then click on the Add button to add a new Relying Party Application. You will get the Add Relying Party Application screen. You need to provide all the information on this screen.

Provide a friendly name for the relying party application. Feel free to give any name of your choice.

Next select the identity providers for this relying party. Select all the identity providers we added previously.

Choose to create new rule group.

Select token signing as standard and click on the Save button to add the relying party application.

Next you need to create Rule Groups for the relying party application. To create a Rule Group, click on Rule Groups from the left panel and select Add.

Next enter the name of the Rule Group and click on the Save button.

You will get an error message telling you to generate rules. Click on the Generate button to create them.

Next you will be prompted to choose the identity providers to generate rules for. Select all listed identity providers and click on the Generate button.

On the next screen click on the Save button. After saving, in the left panel click on Application Integration under the Development tab. You need the WS-Federation Metadata URL to configure the authentication mechanism for the application.

Create Windows Azure Web Role and configure for Federated authentication

Now you need to create a Windows Azure project. Open Visual Studio as administrator and from the Cloud tab select Windows Azure Project.

Then choose ASP.NET Web Role as part of the Windows Azure project.

Here you can write all the required code and business logic of your application. Now, to use ACS federated authentication, right-click on the web application project and select Add STS Reference.

Now you need to provide the following.

Application configuration location: leave the default value.

Application URI: this must be the same as the Relying Party Application URI. In our case it is the URI of the Azure web role running in the Azure emulator, http://127.0.0.1:81/

On clicking the Next button you will get a warning that the application is not using HTTPS. In a real application the best practice is to provide a certificate and work over HTTPS, since the sign-in response and session cookie otherwise travel over plain HTTP. For this walkthrough, proceed by selecting Yes.

In the Security Token Service step, check the Use an existing STS box and provide the metadata document location. If you remember, in the previous step you copied the WS-Federation Metadata URL by clicking on Application Integration under the Development tab. Provide the location of that XML file from the Endpoint Reference list.

On the next screen choose Disable certificate chain validation (appropriate for this development walkthrough).

On the next screen select No encryption.

On the next screen leave the default values and click on Next.

Finally click on Finish to complete the process. You should get a Success message as below.

The last step is to open the Web.config file and edit the entry as below. You need to add the line shown in the rectangle inside system.web.

Now go ahead and run the application. You will be prompted to sign in. Choose any identity provider to log in to your application.

I am choosing Google. I am redirected to the Google login page.

After successful sign-in you are redirected to the application.

This is all you need to do to perform federated authentication on a Windows Azure web role using Windows Azure App Fabric Access Control Service. I hope this post is useful. Thanks for reading.
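For reference, this is the general shape of the Web.config that the Add STS Reference wizard produces for the setup above, written up here as an added example rather than the post's own file. The ACS namespace contoso-acs, the thumbprint placeholder and the Microsoft.IdentityModel assembly version are assumptions; the comments mark the emulator-only choices from the wizard (no HTTPS, no chain validation) that a production deployment tightens.

```xml
<?xml version="1.0"?>
<!-- Added illustration: hypothetical namespace "contoso-acs", placeholder thumbprint -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.web>
    <!-- ACS POSTs the signed token back as form data; ASP.NET 4 request
         validation would reject that XML unless the 2.0 mode is used -->
    <httpRuntime requestValidationMode="2.0" />
    <!-- WIF does the authentication; ASP.NET forms/Windows auth stays off -->
    <authentication mode="None" />
    <!-- anonymous requests are redirected to ACS by the WS-Federation module -->
    <authorization>
      <deny users="?" />
    </authorization>
    <httpModules>
      <add name="WSFederationAuthenticationModule"
           type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add name="SessionAuthenticationModule"
           type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </httpModules>
  </system.web>
  <microsoft.identityModel>
    <service>
      <!-- must equal the Relying Party Application realm registered in ACS -->
      <audienceUris>
        <add value="http://127.0.0.1:81/" />
      </audienceUris>
      <federatedAuthentication>
        <!-- emulator: plain HTTP accepted; production sets requireHttps="true" -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://contoso-acs.accesscontrol.windows.net/v2/wsfederation"
                      realm="http://127.0.0.1:81/"
                      requireHttps="false" />
        <!-- emulator: session cookie over HTTP; production sets requireSsl="true" -->
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
      <!-- "Disable certificate chain validation" in the wizard yields None;
           drop this element (default ChainTrust) once a CA-issued cert is in use -->
      <certificateValidation certificateValidationMode="None" />
      <!-- only tokens signed by the ACS namespace certificate are trusted -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="THUMBPRINT_OF_ACS_SIGNING_CERT_PLACEHOLDER"
               name="https://contoso-acs.accesscontrol.windows.net/" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

The audienceUris value and the wsFederation realm are what tie a token to this relying party, so they must match the URI entered in the wizard exactly, including the trailing slash.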

Well done job!! Very nice article. I really enjoyed reading it. It also cleared a lot of my doubts about creating an ASP.NET Web Role in a Windows Azure application. You made it very helpful. Check these helpful links too; they helped me complete my task…